‘These are fundamental to empowering individuals’ – ICO takes action against departments and councils over data requests
Ministry of Defence and Home Office are among those reprimanded over major backlogs that caused ‘significant distress’ to individuals. PublicTechnology finds out more.
Credit: Pixabay/Memed Nurrohmad
The Information Commissioner’s Office has taken action against major Whitehall departments, large local authorities, and the police for failing to meet transparency and data-protection obligations.
Reprimands issued to seven organisations all relate to subject access requests (SARs), which the regulator has claimed are crucial in bringing greater parity to the “power imbalance” between the state and the individual. The ICO said that, in many cases, “significant distress” has been caused by the failures of telecoms firm Virgin Media, and six public bodies: the Home Office; Ministry of Defence; Kent Police; and the London Boroughs of Hackney, Croydon, and Lambeth.
Data-protection law enshrines individuals’ right to ask an organisation it if holds personal data on them and, if so, how it is being used. Businesses and public bodies are also required to provide people with a copy of any personal information held on them. SARs must be responded to within one month – or three months if the request can be considered especially complex.
All of the organisations reprimanded and publicly called out “repeatedly failed” to meet their obligations, ICO investigators found.
“SARs are a gateway to evening out power imbalances: it is the one tool people have where they can demand equality.”
John Edwards, information commissioner
The probe was launched in light of complaints made against all the bodies in question. Some of these related to the provision of crucial information related to people’s personal history – including records of time spent in care, adoption records, and asylum case files – the failure to provide which has left a child “constantly at risk” in their home country while unable to complete their application, according to a complaint.
One complaint said: “I was in care for many years and my file has been lost through a cyberattack. The original paper file was destroyed previously so I cannot access any of my personal data relating to my childhood. The file contained sensitive details of trauma I suffered, and I feel now this emotional abuse cannot be answered for.”
Another added: “The delay in providing this information in relation of the allegations made against me is jeopardising my ability to defend myself and risks my whole career.”
'The foundation for many other rights'
Speaking to PublicTechnology, information commissioner John Edwards said that subject access requests are a hugely important – but often overlooked – part of the UK’s data-protection framework.
“They are absolutely fundamental in empowering individuals, and they provide the foundations for accessing many other rights – not just data protection,” he said. “If you do not know what data they have about you, you cannot protect yourself.”
The commissioner added: “They are a gateway to evening out the power imbalances: it is the one tool people have where they can demand equality. When we look at those complaints… we see that people are trying to understand aspects of their own life. If they were in a care home, for example, or they are trying to piece together their own history. In other cases, people are trying to protect themselves from harmful effects.”
Length of time in which organisations are required to respond to SARs – or three months for complex cases
Number of requests the Home Office failed to respond to within the required timeframe between March and November 2021
Typical length of time individuals had to wait to receive a SAR response from the Ministry of Defence
Proportion of requests Hackney council failed to respond to on time
In June – six months into his tenure as the national data-protection watchdog – Edwards wrote an open letter to the UK public sector to outline that the regulator would pursue a “revised approach” to working with government bodies, in which it would focus on raising standards.
This “will include working proactively with senior leaders across the public sector to encourage compliance, prevent harms before they occur and learn lessons when things have gone wrong”, as well as an effort to “reduce the impact of fines… [which] will mean an increase in public reprimands… with fines only issued in the most egregious cases”, Edwards wrote.
The commissioner told PublicTechnology that publicising the action taken against the seven organisations – none of which have been fined at this point – is “very much” part of the new approach. The next step is to help them do better.
“We will work with organisations who want to improve, and we will give them guidance and tools to get them where they want to be. But, if they are failing to meet their statutory obligations, we will call it out,” he said. “We are going to be developing more resources: we are talking about designing a tool for people to make requests – which will help people narrow their request – and we will also deliver targeted guidance [for public bodies].”
Breaches and responses
The Ministry of Defence was issued with a formal reprimand after a build-up of unanswered access requests that now stands at 9,000. Individuals submitting a SAR can expect to wait more than a year to receive a response, according to the ICO.
The Home Office, meanwhile, failed to respond to 21,000 requests within the required timeframe between March and November 2021. As of July this year, the department is yet to deal with 3,000 SARs that are overdue for response. A reprimand has been issued.
For the local public-services bodies called out by the ICO, the volumes of requests in question are much lower: totaling hundreds each year, rather than the tens of thousands sent to the biggest Whitehall departments.
But the rate of failure – and the impact on individuals affected – is comparable.
“I was in care and my file has been lost through cyberattack. The paper file was destroyed previously, so I cannot access any of my personal data relating to my childhood.”
Hackney has been reprimanded after an investigation found that, from April 2020 to February 2021, the borough council failed to respond within three months to more than 60% of requests – including some individuals that waited almost two years to hear back. The regulator found that Croydon only responded to about half of requests within the mandated timeframe, while Lambeth failed to do so in one in four instances.
All three councils have been reprimanded, with Hackney and Croydon also being given a practice recommendation for specific improvement.
Kent Police has received a reprimand in respect of its failure to respond on time to about 40% of requests analysed by investigators – including some that went unanswered for more than 18 months.
Virgin Media received almost 10,000 SARs during a six-month period in 2021, of which 14% did not receive a response in the required time period. The company has been reprimanded.
All seven organisations have been given a period of three to six months to improve – or face the possibility of further action.
PublicTechnology contacted all the organisations reprimanded requesting comment. Below are the responses we have received thus far. It will be updated if and when additional responses are received.
A spokesperson for the Ministry of Defence said: “We take our obligations under the Data Protection Act 2018 and UK General Data Protection Regulation very seriously, and we are working hard to remove delays to subject access requests in the one area identified by the Information Commissioner’s Office. Action is being taken to remove those delays through a significant increase in resources, but in the meantime urgent applications are being prioritised.”
A spokesperson for Croydon Council said: “We apologise for any delays in our handling of freedom of information or subject access requests and fully take on board the comments and feedback from the ICO. The council remains committed to high-quality information governance and is currently rolling out an improvement plan to strengthen how we respond to requests under data-protection law. Since April, we have boosted our information access team with additional resource, new IT systems, and strengthened our internal processes and oversight – our performance has noticeably improved, and we are working hard to achieve agreed compliance targets by December.”
A spokesperson for Hackney Council said: “Hackney is committed to transparency and ensuring we respond promptly to freedom of information requests and subject access requests (where people request copies of information that the council holds about them) is a priority for us. Our teams are working hard to improve our performance and tackle the challenges presented by the impacts of the pandemic, cyberattack and difficulty recruiting people with the specialist skills needed for this work.
“The council has been working with the Information Commissioner’s Office to keep them informed of the work we are doing. The recommendations that they have provided are in line with our existing action plans and we will review their advice carefully to identify where we might take additional steps to make sure we are achieving the level of performance that our residents rightly expect.”
A statement from Kent Police said: “Kent Police is committed to discharging its responsibilities under the Data Protection Act and strives to ensure that all subject access requests are dealt with in a timely way. Recognising this as an area of business that needed improvement, Kent Police requested that the Information Commissioner’s Office include a review of this area of business as part of the consensual audit which will be undertaken in early October 2022. Following a significant increase in the number of SAR requests between 2019 and 2021, the force had already drawn up a comprehensive improvement plan which was ratified by chief officers and will include looking at ways to respond to subject access requests in a more timely fashion. This will include streamlining current processes to improve response times and an increase in staff who deal with SAR requests.”
A spokesperson for Lambeth Council said: "As a large London council, Lambeth receives a high number of subject access requests every year. Responding to these properly and in good time is a responsibility we take very seriously. During the period in question, the large number of SARs we’d normally expect was increased further by a surge in requests relating to specific areas, including repairs information held about a council properties or tenants. In addition to this, a number of SAR cases reviewed were extremely large and complex: 53 children’s social care requests received in the review period ran to 255 volumes of information, while two overdue cases alone had a combined total of over 50 volumes and 20,000 pages.
“We have, nonetheless, tried to respond to all SARs as quickly as possible, but we apologise for any inconvenience caused by delays. We have been liaising with the Information Commissioner’s Office the UK's data protection regulator, providing information on our updated data protection policies, procedures and compliance statistics since August 2020. It is of utmost importance we continue to make improvements and meet expected standards including responding to SARs properly and in good time and are committed to providing the ICO with an improvement plan and update on our response times during the next six months.”
A spokesperson for Virgin Media said: “We apologise that our handling of subject access requests last year was not to the standard it should have been. We have since put measures in place which have significantly improved our performance and will continue to carefully monitor this.”
The Home Office is yet to provide a response.
Department is censured for the second time in 10 days after probe reveals it took seven months to notify watchdog of breach
Commissioner claims that fining public bodies simply creates a ‘money-go-round’
Personal details of civil servant and supplier exposed by inadequately redacted document, discovered by PublicTechnology
Move to introduce code of practice for the likes of facial recognition and fingerprints is believed to be a world first